c1d1f48f7d75faf372edc3d5142a459234e87963b6b7f9ceb60258f34ef27643

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
30-11-2024 05:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c1d1f48f7d75faf372edc3d5142a459234e87963b6b7f9ceb60258f34ef27643N.exe
Size

94KB
MD5

b50603db66413f03c2c2d396c1e05dc0
SHA1

9aa8417c78819573d421c08546e9386a814649f1
SHA256

c1d1f48f7d75faf372edc3d5142a459234e87963b6b7f9ceb60258f34ef27643
SHA512

895c6903c4240af9edd75d06c68b9dec82d3e264745f12162f091a9938fc8410a91f25b908b018be71b6bb4f516f63729a381d2f6fa63fe38e077e244f8eea24
SSDEEP

1536:V7Zf/FAxTWoJJZENTBHfiP3zHQYL5HRXxkcKck:fny1tESQM5HRXxkBck

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (2886) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2016-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/files/0x000b000000012029-2.dat	upx
behavioral1/files/0x000400000001043d-6.dat	upx
behavioral1/memory/2016-74-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Games\Chess\es-ES\Chess.exe.mui.tmp	c1d1f48f7d75faf372edc3d5142a459234e87963b6b7f9ceb60258f34ef27643N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwrlatinlm.dat.tmp	c1d1f48f7d75faf372edc3d5142a459234e87963b6b7f9ceb60258f34ef27643N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\README.txt.tmp	c1d1f48f7d75faf372edc3d5142a459234e87963b6b7f9ceb60258f34ef27643N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-execution.xml.tmp	c1d1f48f7d75faf372edc3d5142a459234e87963b6b7f9ceb60258f34ef27643N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\mshwjpn.dll.tmp	c1d1f48f7d75faf372edc3d5142a459234e87963b6b7f9ceb60258f34ef27643N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE.tmp	c1d1f48f7d75faf372edc3d5142a459234e87963b6b7f9ceb60258f34ef27643N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_specialocc_Thumbnail.bmp.tmp	c1d1f48f7d75faf372edc3d5142a459234e87963b6b7f9ceb60258f34ef27643N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Pago_Pago.tmp	c1d1f48f7d75faf372edc3d5142a459234e87963b6b7f9ceb60258f34ef27643N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-windows.xml.tmp	c1d1f48f7d75faf372edc3d5142a459234e87963b6b7f9ceb60258f34ef27643N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\1047x576black.png.tmp	c1d1f48f7d75faf372edc3d5142a459234e87963b6b7f9ceb60258f34ef27643N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.jsp.jasper_1.0.400.v20130327-1442.jar.tmp	c1d1f48f7d75faf372edc3d5142a459234e87963b6b7f9ceb60258f34ef27643N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.console.nl_ja_4.4.0.v20140623020002.jar.tmp	c1d1f48f7d75faf372edc3d5142a459234e87963b6b7f9ceb60258f34ef27643N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.osgi.nl_zh_4.4.0.v20140623020002.jar.tmp	c1d1f48f7d75faf372edc3d5142a459234e87963b6b7f9ceb60258f34ef27643N.exe
File created	C:\Program Files\Mozilla Firefox\firefox.cfg.tmp	c1d1f48f7d75faf372edc3d5142a459234e87963b6b7f9ceb60258f34ef27643N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\PresentationCore.resources.dll.tmp	c1d1f48f7d75faf372edc3d5142a459234e87963b6b7f9ceb60258f34ef27643N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\tipresx.dll.mui.tmp	c1d1f48f7d75faf372edc3d5142a459234e87963b6b7f9ceb60258f34ef27643N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_performance_Thumbnail.bmp.tmp	c1d1f48f7d75faf372edc3d5142a459234e87963b6b7f9ceb60258f34ef27643N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\Davis.tmp	c1d1f48f7d75faf372edc3d5142a459234e87963b6b7f9ceb60258f34ef27643N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\gimap.jar.tmp	c1d1f48f7d75faf372edc3d5142a459234e87963b6b7f9ceb60258f34ef27643N.exe
File created	C:\Program Files\Microsoft Games\Purble Place\it-IT\PurblePlace.exe.mui.tmp	c1d1f48f7d75faf372edc3d5142a459234e87963b6b7f9ceb60258f34ef27643N.exe
File created	C:\Program Files\7-Zip\Lang\he.txt.tmp	c1d1f48f7d75faf372edc3d5142a459234e87963b6b7f9ceb60258f34ef27643N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Taipei.tmp	c1d1f48f7d75faf372edc3d5142a459234e87963b6b7f9ceb60258f34ef27643N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\toc.xml.tmp	c1d1f48f7d75faf372edc3d5142a459234e87963b6b7f9ceb60258f34ef27643N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Srednekolymsk.tmp	c1d1f48f7d75faf372edc3d5142a459234e87963b6b7f9ceb60258f34ef27643N.exe
File created	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\MSTTSLoc.dll.tmp	c1d1f48f7d75faf372edc3d5142a459234e87963b6b7f9ceb60258f34ef27643N.exe
File created	C:\Program Files\Common Files\System\DirectDB.dll.tmp	c1d1f48f7d75faf372edc3d5142a459234e87963b6b7f9ceb60258f34ef27643N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe.tmp	c1d1f48f7d75faf372edc3d5142a459234e87963b6b7f9ceb60258f34ef27643N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.nl_ja_4.4.0.v20140623020002.jar.tmp	c1d1f48f7d75faf372edc3d5142a459234e87963b6b7f9ceb60258f34ef27643N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-compat_zh_CN.jar.tmp	c1d1f48f7d75faf372edc3d5142a459234e87963b6b7f9ceb60258f34ef27643N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Hermosillo.tmp	c1d1f48f7d75faf372edc3d5142a459234e87963b6b7f9ceb60258f34ef27643N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Krasnoyarsk.tmp	c1d1f48f7d75faf372edc3d5142a459234e87963b6b7f9ceb60258f34ef27643N.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets.tmp	c1d1f48f7d75faf372edc3d5142a459234e87963b6b7f9ceb60258f34ef27643N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwresplm.dat.tmp	c1d1f48f7d75faf372edc3d5142a459234e87963b6b7f9ceb60258f34ef27643N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\msinfo32.exe.mui.tmp	c1d1f48f7d75faf372edc3d5142a459234e87963b6b7f9ceb60258f34ef27643N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\Petersburg.tmp	c1d1f48f7d75faf372edc3d5142a459234e87963b6b7f9ceb60258f34ef27643N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-masterfs_zh_CN.jar.tmp	c1d1f48f7d75faf372edc3d5142a459234e87963b6b7f9ceb60258f34ef27643N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-util-lookup.xml.tmp	c1d1f48f7d75faf372edc3d5142a459234e87963b6b7f9ceb60258f34ef27643N.exe
File created	C:\Program Files\VideoLAN\VLC\locale\be\LC_MESSAGES\vlc.mo.tmp	c1d1f48f7d75faf372edc3d5142a459234e87963b6b7f9ceb60258f34ef27643N.exe
File created	C:\Program Files\7-Zip\Lang\gu.txt.tmp	c1d1f48f7d75faf372edc3d5142a459234e87963b6b7f9ceb60258f34ef27643N.exe
File created	C:\Program Files\7-Zip\Lang\vi.txt.tmp	c1d1f48f7d75faf372edc3d5142a459234e87963b6b7f9ceb60258f34ef27643N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyScenesBackground_PAL.wmv.tmp	c1d1f48f7d75faf372edc3d5142a459234e87963b6b7f9ceb60258f34ef27643N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationUp_ButtonGraphic.png.tmp	c1d1f48f7d75faf372edc3d5142a459234e87963b6b7f9ceb60258f34ef27643N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Porto_Velho.tmp	c1d1f48f7d75faf372edc3d5142a459234e87963b6b7f9ceb60258f34ef27643N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\HST.tmp	c1d1f48f7d75faf372edc3d5142a459234e87963b6b7f9ceb60258f34ef27643N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\license.html.tmp	c1d1f48f7d75faf372edc3d5142a459234e87963b6b7f9ceb60258f34ef27643N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\tabskb.dll.mui.tmp	c1d1f48f7d75faf372edc3d5142a459234e87963b6b7f9ceb60258f34ef27643N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\vignettemask25.png.tmp	c1d1f48f7d75faf372edc3d5142a459234e87963b6b7f9ceb60258f34ef27643N.exe
File created	C:\Program Files\Internet Explorer\en-US\F12Tools.dll.mui.tmp	c1d1f48f7d75faf372edc3d5142a459234e87963b6b7f9ceb60258f34ef27643N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.reconciler.dropins.nl_ja_4.4.0.v20140623020002.jar.tmp	c1d1f48f7d75faf372edc3d5142a459234e87963b6b7f9ceb60258f34ef27643N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\New_York.tmp	c1d1f48f7d75faf372edc3d5142a459234e87963b6b7f9ceb60258f34ef27643N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\Microsoft.Build.Utilities.v3.5.resources.dll.tmp	c1d1f48f7d75faf372edc3d5142a459234e87963b6b7f9ceb60258f34ef27643N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Xml.Linq.Resources.dll.tmp	c1d1f48f7d75faf372edc3d5142a459234e87963b6b7f9ceb60258f34ef27643N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main.xml.tmp	c1d1f48f7d75faf372edc3d5142a459234e87963b6b7f9ceb60258f34ef27643N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\TipTsf.dll.mui.tmp	c1d1f48f7d75faf372edc3d5142a459234e87963b6b7f9ceb60258f34ef27643N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.text_3.5.300.v20130515-1451.jar.tmp	c1d1f48f7d75faf372edc3d5142a459234e87963b6b7f9ceb60258f34ef27643N.exe
File created	C:\Program Files\Internet Explorer\pdm.dll.tmp	c1d1f48f7d75faf372edc3d5142a459234e87963b6b7f9ceb60258f34ef27643N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Rome.tmp	c1d1f48f7d75faf372edc3d5142a459234e87963b6b7f9ceb60258f34ef27643N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\.settings\org.eclipse.equinox.p2.metadata.repository.prefs.tmp	c1d1f48f7d75faf372edc3d5142a459234e87963b6b7f9ceb60258f34ef27643N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-options-keymap_zh_CN.jar.tmp	c1d1f48f7d75faf372edc3d5142a459234e87963b6b7f9ceb60258f34ef27643N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\tipresx.dll.mui.tmp	c1d1f48f7d75faf372edc3d5142a459234e87963b6b7f9ceb60258f34ef27643N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\FlickLearningWizard.exe.mui.tmp	c1d1f48f7d75faf372edc3d5142a459234e87963b6b7f9ceb60258f34ef27643N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationUp_SelectionSubpicture.png.tmp	c1d1f48f7d75faf372edc3d5142a459234e87963b6b7f9ceb60258f34ef27643N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfxrt.jar.tmp	c1d1f48f7d75faf372edc3d5142a459234e87963b6b7f9ceb60258f34ef27643N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.repository.nl_zh_4.4.0.v20140623020002.jar.tmp	c1d1f48f7d75faf372edc3d5142a459234e87963b6b7f9ceb60258f34ef27643N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c1d1f48f7d75faf372edc3d5142a459234e87963b6b7f9ceb60258f34ef27643N.exe

C:\Users\Admin\AppData\Local\Temp\c1d1f48f7d75faf372edc3d5142a459234e87963b6b7f9ceb60258f34ef27643N.exe
"C:\Users\Admin\AppData\Local\Temp\c1d1f48f7d75faf372edc3d5142a459234e87963b6b7f9ceb60258f34ef27643N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3533259084-2542256011-65585152-1000\desktop.ini.tmp

Filesize
95KB

MD5
fb779929c8bda2ab3ba0af1a15b03f7d

SHA1
93c0de57a4c8aab5fb44c6489f690935293109e4

SHA256
7114fbba2a5a1f16a79de509695c0afcf4a040cb15b04b08a7fdc6a0921c2da7

SHA512
a19bc88250cd3470cccd67f95cbf30c7ba1507b5d3d64edc9c072c2f029fe51e22c46041ebac9eb6a45ae89bf40033aced6ef24b3df693de36b13f7ff347a6cc

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
104KB

MD5
3de7893f6bd1b302460c9896d8e27cb7

SHA1
76cedca33f915e097708a32b3e65e57143af4dc8

SHA256
5ed4ae1b2248b26c2cbdbb679ec10c1e8465d3be40e417f6180be2f6ceffd8c6

SHA512
3398e992eeb1e0fd2d10d2807eb9f774650a90d66463d6d8711095ff827e049bd4e34bead6b8a5c4aba74e611bf440966c0fc0bd41769e196202d6f5514977cc

Download Submit
memory/2016-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2016-74-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download